An Uncensored Look at the OPM Breach – Part 2

You Cannot Be Careful Enough

During his panel at the 2016 CyberMaryland Conference, Richard Helms, Ntrepid Founder and Chief Executive, not only explored the adversary’s intent for the stolen data but also identified a major issue impeding its resolution: the national security community is not thinking broadly enough to protect today’s widely connected workforce. With this in mind, Helms advises that we cannot be careful enough with our online browsing, particularly when opening links embedded in email messages.

In the early days of government organizations, access to the identity of employees in the national security community varied from hard to get to almost impossible to know. Obtaining information on their families was in many ways even more difficult. Today, particularly since the OPM breach, almost everyone who is part of the national security community is exposed, known for their employment affiliation and their family and reference connections. And thanks to social media, a whole lot more is known about you and your family in ways that were never anticipated when our security procedures were first set up, nearly 7 decades ago.

One thing that has become abundantly clear is that technology needs to be developed that mitigates human error.

Now that the sensitive information of more than 22 million people is exposed, there are endless ways to encounter malicious attacks that most Internet users will not see coming. For this reason, we cannot rely on technology that depends on user behavior: people will always be vulnerable to clicking on links that lead to malware-loaded websites and to accidentally giving out their information to a hacker. Technology must anticipate attacks that humans will not avoid on their own.

Around 90% of undetected malware gains access through the browser. This fact, combined with the perception that the Chinese government, to whom Helms attributes the OPM breach, works through asymmetric warfare, tells us that the Internet browser is especially vulnerable. The adversary will slowly and surely continue to use the Internet to pry information out of those OPM victims in whom it has an interest, and it is in a position to conduct more elusive, disruptive attacks if a political reason to do so emerges from strains in U.S./China relations.

There is no turning back time to rebuild the architecture that once sustained and protected the sensitive information of government personnel. The surest, quickest, and most efficient method to protect individuals going forward is to secure the Internet browser they use and prevent it from being an attack vector into their lives and the networks in which they participate.